I am not a security expert, so anything I say below might not be 100% correct or accurate. I just want to apologize in advance should I end up badly abusing terminology.
I'm getting increasingly more desperate as I earn a living as a graphic designer and I have no viable way to make income while this thing continues to ruthlessly infect my systems.
It all started when I noticed Windows acting strangely a couple weeks ago. These include various small issues like:
1. Laggy screen redraw/paint speed with no applications running and classic mode set to "high performance" despite having a very powerful computer and two GTX580's in SLI.
2. Strange events showing up in the event log - large amounts of CAPI2 and cryptography related functions failing and throwing errors
3. GMER output showing modifications to svchost.exe and a few other native Windows processes
4. Several other quirks / symptoms with Google searches and web browsing that indicated DNS was being tampered with
5. Nmap and netstat revealing several ports open that definitely should not be on several computers in my house, Wireshark showing encrypted packets being sent from said ports
I began by formatting my HD, recreating the partition table, and reinstalling Windows. To my disbelief, despite the fact I was using original media directly from Microsoft, Windows installed and automatically attached me to a domain, and loaded several non-default security policies. Firefox showed NT style 404 pages. My fresh install of Windows 7 was behaving like a PXE style Windows NT install. Certificates and crypto related functions were also heavily tampered with, leaving several hundred errors with CAPI2 in the event log. At this point, I knew that something extremely strange was going on.
I then went on to burn Linux LiveCDs like Parted Magic / Deft as well as several other various antivirus CDs, but it became increasingly more apparent that the infection is highly OS/platform independent. It doesn't matter if I am running completely in RAM either. Infection is identical even with all obvious external non-volatile storage disconnected (HDs, DVDRW, etc). I flashed my BIOS several times as well. Unfortunately the BIOS flash completes in an unrealistically short amount of time (i.e. instantly), leading me to believe that it's not actually flashing the real BIOS, but a virtualized BIOS. Payloads are automatically created and delivered via a poisoned squashfs filesystem on Linux (corrupted grub, efiboot.img, initrd, pxelinux, etc) and some kind of WinPE flavored hack on a Windows installation that I'm sure uses a variety of exploits to transform a normal install into a tainted PXE install. The BIOS also indicates a microcode patch on my i7; I'm not sure if this is normal or a byproduct of the rootkit.
It's also managed to worm its way into my fiancée's brand new MacBook Pro as well. She now has an irremovable "Remote CD" showing up in Finder along with several hundred other oddities when I do a simple ps -Al in terminal/bash. I also suspect some kind of GPU paravirtualization going on - despite having two GTX580 3gb cards in SLI, screen redraw remains extremely slow and laggy. With TCPview in Windows I was able to spot a transient connection (it appeared and then disappeared in a matter of 1-3 seconds) to a remote IP with a resolved name that included "HyperV" - I can't remember the exact name, but it obviously leads me to suspect some kind of Hypervisor related virtualization. This was without any browser windows open.
The infection seems to spread very easily via USB. While trying to create a clean liveCD from another computer, I simply plugged in a mouse that I had lying around (which at one point connected to my infected PC) into a clean PC, and it instantly installed 4 separate USB drivers along with its payload (whatever that may be) and the infection began once again. After reboot the BIOS itself was virtualized (I think) and the computer was essentially toast and acted identically to the infected machine. So this indicates to me that it is aggressively flashing any kind of firmware it can.
Anyway, the reason I'm posting here is simply because I'm extremely desperate for a solution to rid myself of this. I realize that most posts on Bleeping Computer tend to deal with less sophisticated infections than this; I guess I am just hoping there is someone out there that can shed some light on this as I just quite simply don't have any idea what to do. I've never encountered an infection as sophisticated and persistent as this (OS independent bare metal virtualization), and I just want to be able to work again.
I'm at a complete loss as to how to remove this - I suspect that I will have to re-flash all non-volatile storage simultaneously, but with limited development knowledge, little knowledge of Linux, and an unfamiliarity with low level hardware/software processes, this sounds like an impossibly huge and frustrating mountain to climb (it's taken me a few weeks just to figure out a fraction of what's even happening). If I didn't have thousands of dollars worth of hardware (this is a brand new custom rig), discarding everything would be an easier pill to swallow, but I just can't bring myself to accept that as a solution, especially since I'm in a pretty bad financial situation as it is, and my livelihood depends on me having a functional computer to work on.
I have binaries that have been captured from this infection as well as various logs if anyone here can take a look. I am also more than happy to provide samples; I would just caution anyone that running them could be very dangerous as I'm pretty certain the payload is VM aware. I can easily induce the infection in Linux and Windows by booting via liveCD or my Windows disk and run any kind of application or tool if asked. By looking at the poisoned image that is mounted in Linux, it's easy to distinguish the tainted files by looking at modification timestamps.
Even just a positive identification of this rootkit would be a tremendous help to me so I know where to start. I just want to know if there is anything I can do that doesn't involve throwing away over $6000 worth of hardware.
Thanks much for any kind of information / help.
Edited by sentience, 26 April 2014 - 03:31 AM.